https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95199#M19832 <P>Hi, I am trying to construct an input.conf stanza + whitelist/blacklist rule to look for the following:</P> <P>accept all <EM>**.log</EM>* files but specifically ignore<BR /> <STRONG>log4j.log, broker.log, somefile.log</STRONG></P> <P>This is how the input.conf file looks like right now:</P> <PRE><CODE>[monitor://D:\ProgramName\logs] whitelist=\.log$ blacklist=log4j|broker|somefile disabled=false sourcetype=newsourcetype </CODE></PRE> <P>but at the moment it doesnt look like anything is being picked up with this combination. I have confirmed that the universal forwarder has installed this app. </P> Mon, 15 Apr 2013 21:24:46 GMT virtualpony 2013-04-15T21:24:46Z https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95199#M19832 <P>Hi, I am trying to construct an input.conf stanza + whitelist/blacklist rule to look for the following:</P> <P>accept all <EM>**.log</EM>* files but specifically ignore<BR /> <STRONG>log4j.log, broker.log, somefile.log</STRONG></P> <P>This is how the input.conf file looks like right now:</P> <PRE><CODE>[monitor://D:\ProgramName\logs] whitelist=\.log$ blacklist=log4j|broker|somefile disabled=false sourcetype=newsourcetype </CODE></PRE> <P>but at the moment it doesnt look like anything is being picked up with this combination. I have confirmed that the universal forwarder has installed this app. </P> Mon, 15 Apr 2013 21:24:46 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95199#M19832 virtualpony 2013-04-15T21:24:46Z https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95200#M19833 <P>Try :</P> <PRE><CODE>[monitor://D:\ProgramName\logs\*.log] blacklist = (log4j|broker|somefile) disabled=false sourcetype=newsourcetype </CODE></PRE> <P>Also you might want to review these : </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata">Whitelist or blacklist specific incoming data</A></P> <P><A href="http://docs.splunk.com/Documentation/Splunk/5.0.2/Data/Editinputs.conf">Edit Inputs.conf</A></P> Tue, 16 Apr 2013 12:57:33 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95200#M19833 JSapienza 2013-04-16T12:57:33Z https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95201#M19834 <P>Sorry, this doesn't work either.</P> Tue, 16 Apr 2013 18:39:13 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95201#M19834 virtualpony 2013-04-16T18:39:13Z https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95202#M19835 <P>Well then there is another underlying issue because that is a valid input stanza. Are other files/directories being monitored on this machine and is that data visible from the search-head? Is this a manual deploy or are you using deployment server to push your changes ?</P> Tue, 16 Apr 2013 18:55:08 GMT https://community.splunk.com/t5/Getting-Data-In/whitelist-and-blacklist-input/m-p/95202#M19835 JSapienza 2013-04-16T18:55:08Z